Creating Classification Labels and Policies in Azure Information Protection

Information Rights Management is a subset of Digital Rights Management technologies which protects sensitive information from the risk of accidental or unauthorized modification, deletion and misuse.

Azure Information Protection (AIP) is a service offered by Microsoft that provides the features and functionality of Information Rights Management. With AIP, an organization can classify, label and protect sensitive information, which gives it visibility over the different types of sensitive data across locations.

Steps to Configure Policies in Azure Portal

Before we configure the global policies, it is always recommended to get the taxonomy crisp and clear. Do not create too many labels and sub-labels.

Here in this example, I am keeping the taxonomy straightforward.

Restricted – For highly sensitive content

Confidential – For Sensitive content

Internal – For the content within the Organization

Public – For all other content

Steps to configure Labels and Policies in Azure Portal 

Login to Azure Portal 

Search for Azure Information Protection



Add new label 


Give the label a name and add a description. Navigate to Protect and add the users/members who will receive the permissions.

Protection settings: Select Azure Key/HYOK as per the organization structure, set the file expiration settings and add permissions based on the AD group or individual recipient addresses. Set the permissions (co-owner, co-author, reviewer, viewer etc.) as appropriate.



I created four labels as Internal, Public, Confidential & Restricted



Create a policy to map this label

Select Policies under Classifications and click ‘Add a new Policy’.


Give the policy a name and select, from the drop-down list, the label to which this policy is to be applied.


Now that we have created labels and policies in the Azure portal, let us verify that they are reflected on the client machines.

Prerequisites for installing AIP Agent in Clients:

  1. Azure Active Directory: Make sure the on-premises identities are in sync with Azure identities. Azure AD Connect is used to sync the identities. If the users are in O365, they can directly download the Office apps from
  2. Supported client platforms: Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 with .NET Framework 4.6.2
  3. Office applications: Office 365 ProPlus, Office Professional Plus 2019/2016/2013 (SP1)/2010 (SP2)
  4. Connectivity to Azure services over the internet: Make sure that the URLs are allowed and the necessary ports are open as per Network Prerequisites
  5. Download AIP client from here


Installing AIP client





Sign in to the Office apps with the organization account that has an AIP license assigned. When you open the apps, you will see the labels appear in them.






Now, when a label is selected, the policies configured for that label are applied to the content, and the sender of the email or author of the document has visibility into the content life cycle.
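
To confirm from the client side that labels and protection are actually landing on files, the following script audits a test folder. It is an added example, not part of the original walkthrough. It assumes the AIP client (which ships the AzureInformationProtection PowerShell module) is installed, that C:\AIP-Test is a hypothetical folder of test documents, and that protection was configured on the Restricted and Confidential labels.

```powershell
# Added example: audit a folder against the label taxonomy used in this post.
param(
    [string]$Path = 'C:\AIP-Test'   # hypothetical folder holding test documents
)

# Assumption: these two labels from the taxonomy were configured with protection.
$ProtectedLabels = 'Restricted', 'Confidential'

# Prerequisite from the list above: .NET Framework 4.6.2 or later.
# 394802 is the lowest Release value Microsoft documents for 4.6.2.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 394802) {
    Write-Warning '.NET Framework 4.6.2 or later was not detected.'
}

# The label cmdlets only exist once the AIP client is installed.
if (-not (Get-Module -ListAvailable -Name AzureInformationProtection)) {
    throw 'AzureInformationProtection module not found; install the AIP client first.'
}
Import-Module AzureInformationProtection

# Get-AIPFileStatus reports the label and protection state of each file.
$report = Get-AIPFileStatus -Path $Path | ForEach-Object {
    $finding = if (-not $_.IsLabeled) {
        'Unlabeled'
    } elseif ($ProtectedLabels -contains $_.MainLabelName -and -not $_.IsRMSProtected) {
        'Sensitive label without protection'
    } else {
        'OK'
    }
    [pscustomobject]@{
        File      = $_.FileName
        Label     = $_.MainLabelName
        Protected = $_.IsRMSProtected
        Finding   = $finding
    }
}

# Findings other than OK point at files the policy did not cover as intended.
$report | Sort-Object Finding | Format-Table -AutoSize
```

Any row marked 'Sensitive label without protection' means the label was applied but its protection settings were not, which usually points back to the Protect step of the label configuration.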











